diff --git a/doc b/doc
index 189dddc9e8..f2607e2fab 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6
+Subproject commit f2607e2fab4f83062bc7b3a35bb5f4a7993521c8
diff --git a/scripts/policy/files/x509/log-ocsp.zeek b/scripts/policy/files/x509/log-ocsp.zeek
deleted file mode 100644
index e1033fbf83..0000000000
--- a/scripts/policy/files/x509/log-ocsp.zeek
+++ /dev/null
@@ -1 +0,0 @@
-@deprecated("Remove in v5.1. OCSP logging is now enabled by default")
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.zeek b/scripts/policy/protocols/ssl/extract-certs-pem.zeek
deleted file mode 100644
index 2dde9c04b0..0000000000
--- a/scripts/policy/protocols/ssl/extract-certs-pem.zeek
+++ /dev/null
@@ -1,56 +0,0 @@
-@deprecated "Remove in v5.1. Use log-certs-base64.zeek instead."
-
-##! This script is used to extract host certificates seen on the wire to disk
-##! after being converted to PEM files. The certificates will be stored in
-##! a single file, one for local certificates and one for remote certificates.
-##!
-##! .. note::
-##!
-##! - It doesn't work well on a cluster because each worker will write its
-##! own certificate files and no duplicate checking is done across the
-##! cluster so each node would log each certificate.
-##!
-
-@load base/protocols/ssl
-@load base/files/x509
-@load base/utils/directions-and-hosts
-
-module SSL;
-
-export {
- ## Control if host certificates offered by the defined hosts
- ## will be written to the PEM certificates file.
- ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
- option extract_certs_pem = LOCAL_HOSTS;
-}
-
-# This is an internally maintained variable to prevent relogging of
-# certificates that have already been seen. It is indexed on an sha1 sum of
-# the certificate.
-global extracted_certs: set[string] = set() &read_expire=1hr &redef;
-
-event ssl_established(c: connection) &priority=5
- {
- if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
- ! c$ssl$cert_chain[0]?$x509 )
- return;
-
- if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
- return;
-
- local hash = c$ssl$cert_chain[0]$sha1;
- local cert = c$ssl$cert_chain[0]$x509$handle;
-
- if ( hash in extracted_certs )
- # If we already extracted this cert, don't do it again.
- return;
-
- add extracted_certs[hash];
- local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
- local outfile = open_for_append(filename);
- enable_raw_output(outfile);
-
- print outfile, x509_get_certificate_string(cert, T);
-
- close(outfile);
- }
diff --git a/scripts/policy/protocols/ssl/notary.zeek b/scripts/policy/protocols/ssl/notary.zeek
deleted file mode 100644
index 0fc7f07c03..0000000000
--- a/scripts/policy/protocols/ssl/notary.zeek
+++ /dev/null
@@ -1,106 +0,0 @@
-@deprecated("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
-
-@load base/protocols/ssl
-
-module CertNotary;
-
-export {
- ## A response from the ICSI certificate notary.
- type Response: record {
- first_seen: count &log &optional;
- last_seen: count &log &optional;
- times_seen: count &log &optional;
- valid: bool &log &optional;
- };
-
- ## The notary domain to query.
- option domain = "notary.icsi.berkeley.edu";
-}
-
-redef record SSL::Info += {
- ## A response from the ICSI certificate notary.
- notary: Response &log &optional;
- };
-
-# The DNS cache of notary responses.
-global notary_cache: table[string] of Response &create_expire = 1 hr;
-
-# The records that wait for a notary response identified by the cert digest.
-# Each digest refers to a list of connection UIDs which are updated when a DNS
-# reply arrives asynchronously.
-global waitlist: table[string] of vector of SSL::Info;
-
-function clear_waitlist(digest: string)
- {
- if ( digest in waitlist )
- {
- for ( i in waitlist[digest] )
- SSL::undelay_log(waitlist[digest][i], "notary");
- delete waitlist[digest];
- }
- }
-
-event ssl_established(c: connection) &priority=3
- {
- if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
- ! c$ssl$cert_chain[0]?$sha1 )
- return;
-
- local digest = c$ssl$cert_chain[0]$sha1;
-
- if ( digest in notary_cache )
- {
- c$ssl$notary = notary_cache[digest];
- return;
- }
-
- SSL::delay_log(c$ssl, "notary");
-
- local waits_already = digest in waitlist;
- if ( ! waits_already )
- waitlist[digest] = vector();
- waitlist[digest] += c$ssl;
- if ( waits_already )
- return;
-
- when [digest] ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
- {
- notary_cache[digest] = [];
-
- # Parse notary answer.
- if ( str == "" ) # NXDOMAIN
- {
- clear_waitlist(digest);
- return;
- }
- local fields = split_string(str, / /);
- if ( |fields| != 5 ) # version 1 has 5 fields.
- {
- clear_waitlist(digest);
- return;
- }
- local version = split_string(fields[0], /=/)[1];
- if ( version != "1" )
- {
- clear_waitlist(digest);
- return;
- }
- local r = notary_cache[digest];
- r$first_seen = to_count(split_string(fields[1], /=/)[1]);
- r$last_seen = to_count(split_string(fields[2], /=/)[1]);
- r$times_seen = to_count(split_string(fields[3], /=/)[1]);
- r$valid = split_string(fields[4], /=/)[1] == "1";
-
- # Assign notary answer to all records waiting for this digest.
- if ( digest in waitlist )
- {
- for ( i in waitlist[digest] )
- {
- local info = waitlist[digest][i];
- SSL::undelay_log(info, "notary");
- info$notary = r;
- }
- delete waitlist[digest];
- }
- }
- }
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index eb089a9aa2..902a5163d8 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -67,7 +67,6 @@
 @load files/unified2/__load__.zeek
 @load files/unified2/main.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
-@load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek
 @load frameworks/software/vulnerable.zeek
@@ -129,13 +128,11 @@
 @load protocols/ssh/software.zeek
 @load protocols/ssl/decryption.zeek
 @load protocols/ssl/expiring-certs.zeek
-# @load protocols/ssl/extract-certs-pem.zeek
 @load protocols/ssl/heartbleed.zeek
 @load protocols/ssl/known-certs.zeek
 @load protocols/ssl/log-certs-base64.zeek
 @load protocols/ssl/ssl-log-ext.zeek
 @load protocols/ssl/log-hostcerts-only.zeek
-#@load protocols/ssl/notary.zeek
 @load protocols/ssl/validate-certs.zeek
 @load protocols/ssl/validate-ocsp.zeek
 @load protocols/ssl/validate-sct.zeek
diff --git a/scripts/zeekygen/__load__.zeek b/scripts/zeekygen/__load__.zeek
index 39314a04ac..b851676351 100644
--- a/scripts/zeekygen/__load__.zeek
+++ b/scripts/zeekygen/__load__.zeek
@@ -2,7 +2,6 @@
 # Scripts which are commented out in test-all-policy.zeek.
 @load protocols/ssl/decryption.zeek
-@load protocols/ssl/notary.zeek
 @load frameworks/control/controllee.zeek
 @load frameworks/control/controller.zeek
 @load frameworks/management/agent/main.zeek
@@ -12,7 +11,6 @@
 @load frameworks/files/extract-all-files.zeek
 @load policy/misc/dump-events.zeek
 @load policy/protocols/conn/speculative-service.zeek
-@load policy/protocols/ssl/extract-certs-pem.zeek
 @load ./example.zeek
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index d179d2c6ff..b1bb951e92 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
@@ -1,9 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ### NOTE: This file has been sorted with diff-sort.
-warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:15 "Remove in v5.1. Use log-certs-base64.zeek instead."
-warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead."
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now enabled by default")
-warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:5 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
-warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem b/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem
deleted file mode 100644
index 88323d892d..0000000000
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem
+++ /dev/null
@@ -1,27 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
------BEGIN CERTIFICATE-----
-MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhkiG9w0BAQUFADCB
-ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
-aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
-dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
-SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
-NjExMTQwMDAwMDBaFw0wNzExMTQyMzU5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0G
-A1UECBMGQmF5ZXJuMREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBB
-bGxpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21iSDEzMDEGA1UE
-CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMR8w
-HQYDVQQDFBZ3d3cuZHJlc2RuZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIyladTJJY
-4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xYO6mmcI/Sy6owiU8LMf
-Fij2BWZbv3+oWfq+mWs2YrhuxoNHU2MPWrRRwYioVbnUMW09KkqVCtF7hwIDAQAB
-o4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmg
-N4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25hbFNl
-cnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIB
-FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG
-+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
-BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEwX6Fd
-oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
-SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0G
-CSqGSIb3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIKKZKabarV
-sWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEFh2z+fWp8y72yXuQl3L8HSr
-0lTl6LpRD6TDPjT6UvKg5nr0j9x2Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
------END CERTIFICATE-----
diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
index dc8d658f85..36036932cc 100644
--- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
@@ -16,7 +16,6 @@
 @load base/protocols/ssl
 @load base/files/x509
-@load protocols/ssl/extract-certs-pem
 module SSL;
@@ -48,11 +47,6 @@ export {
 client_dh_Yc: string &log &optional;
 client_ecdh_point: string &log &optional;
 };
-
- ## Control if host certificates offered by the defined hosts
- ## will be written to the PEM certificates file.
- ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
- redef extract_certs_pem = ALL_HOSTS;
 }
 event ssl_established(c: connection) &priority=5
diff --git a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek b/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
deleted file mode 100644
index d84da10256..0000000000
--- a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
+++ /dev/null
@@ -1,6 +0,0 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT
-# @TEST-EXEC: btest-diff certs-remote.pem
-
-@load protocols/ssl/extract-certs-pem
-
-redef SSL::extract_certs_pem = ALL_HOSTS;